Prioritizing Risks Using Hazardous Vulnerability Assessment (HVA)


Healthcare organizations have a variety of risks: operational, clinical, financial, human capital, strategic, technological, legal and/or regulatory, as well as hazards. Identifying and prioritizing your organizational risks allows for a robust response plan. So, you may ask, “Where do we start?” Using the enterprise risk domains, the organization creates a risk list. There are many ways to rank or prioritize identified enterprise risks. Risk ranking, risk scores, heat maps, and risk registers are all examples of tools that healthcare organizations frequently use. For simplification, hazardous vulnerability assessment (HVA) will be used throughout this discussion.

Risk Identification

Using a collaborative and multidisciplinary team approach to identifying key enterprise risks is the first step. In preparation for your first meeting, have your content experts collate their lists. For example, the clinical representative such as the Director of Nursing or Risk Manager will have the top 25 clinical risks, the Chief Financial Officer brings the top 25 financial risks, and the human relations department brings the top 25 human capital risks.

As a group, decide on the number of risks you will evaluate for each of the eight enterprise risk domains. This number can be as small or large as your organization likes. When deciding on your list take into consideration the breadth and scope of a risk mitigation plan for each of the identified risks.

Prioritizing Risks

For each item on your organizational list you will need to create a score. The components of the HVA score are likelihood or frequency and impact. Likelihood or frequency is scored on a 1-5 scale with 1 being rare, 2 unlikely, 3 potential, 4 likely, and 5 certain or occurring. An example of likelihood or frequency scoring is patient falls which many organizations would rank as a 4, likely to occur in the upcoming year. Impact can be measured in different ways. The most common measures of impact are financial and harm.


1. Insignificant no property damage or cash
2. Minor or less than $10,000
3. Moderate $10,000-$100,000
4. Major $100,000 -$250,000
5. Critical >$250,000 loss of property/business


1. None – reached patient no harm
2. Temporary Harm -Bodily or psychological injury, but likely not permanent
3. Permanent Harm -Lifelong bodily or psychological injury or increased susceptibility to disease
4. Severe Permanent Harm -Severe lifelong bodily or psychological injury or disfigurement
5. Death-Death at the time of the assessment

Developing a Plan

The next step in the risk management process is to develop your enterprise risk plan. When preparing to develop the plan it is important to know the risk culture and appetite of your organization. Each risk domain may have a different risk culture. When evaluating each domain ask yourself and the domain owner, “What level of risk is acceptable in the pursuit of organizational goal?” Next, determine the risk strategy for each of the ranked risks. Risk strategy includes a decision to accept, mitigate, or avoid the risk.

Once your organizational risk list is completed and ranked in order of highest risk to lowest, the group can then focus on the risk management plan, development of action items, and overall goals.
Never forget that risk is in constant flux and frequent evaluation and planning is needed. Risks, scores, rankings, and plans may change. This is not a one and done process, it is a continuously moving goal.

If your organization has risk management related questions or needs, contact Antum Risk at



Share this post

Recent Posts

Post: Prioritizing Risks Using Hazardous Vulnerability Assessment (HVA)

Antum Risk

Antum Risk

Antum Risk provides a variety of risk management services to the healthcare industry. These include group self-insurance programs for workers’ compensation, professional & general liability, and medical stop-loss. We also provide customized consulting solutions to meet your risk management needs.